The game source codes for Cyberpunk 2077 and The Witcher 3 have sold for a reported $7 million in a dark web sale, just days after hackers threatened to share the leaked data online if CD Projekt Red didn’t “pay up.”
The underground sale — which saw game source codes for Cyberpunk 2077, The Witcher 3, and Thronebreaker: The Witcher Tales trade hands — was done behind closed doors, after the hackers originally announced they would be auctioning off the hacked data to the highest bidder.
Cybersecurity firm Kela confirmed the auction had been closed on Feb. 11, after the CDPR hackers received “a satisfying offer” from “outside the forum.”
Well-known data security source vx-underground also confirmed the sale.
Files relating to “accounting, administration, legal, HR, investor relations, and more” were allegedly included in the original leak. It is unclear whether these files were also sold off to the unknown bidder as part of the alleged $7m deal.
The huge sale did include an undeclared new version of The Witcher 3 which included raytracing; “dumps of internal documents” and CD Projekt Red’s offenses were too. The auction was originally penned to begin at $1 million USD, through Bitcoin. There were expectations the bidding would last around 48 hours.
Source codes for CDPR’s spinoff Witcher card game “Gwent” were also leaked earlier this week, for free. These included assets, caches, and Test framework files.
The dark web sale happened just days after CD Projekt Red declared they would “not give in to the demands nor negotiate with the actor.”
It was first publicly revealed there had been a security breach when the Cyberpunk 2077 developers took to Twitter on Feb. 9 to confirm the leak. They posted a short statement, as well as the “ransom” letter sent from the source code hackers.
“Hello CD PROJECKT!! Your [sic] have been EPICALLY pwned!!” the note read. “We have dumped FULL copies of the source codes from your Perforce servers for Cyberpunk 2077, The Witcher 3, Gwent, and the unreleased version of Witcher 3!! We have dumped all your documents… [and] encrypted all your servers.”
“If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism.”
The Polish-based Cyberpunk 2077 game studio — who have been under the pump for the failed launch of their 2020 title — refused to bow to the hackers’ demands. As a result, the leaked game source code seems to have now been sold.
Though the CD Projekt Red hackers have not officially been named, a security researcher told The Verge it involved the use of the HelloKitty ransomware. This was last used to hack Brazilian power company CEMIG late last year.
- Read More: Cyberpunk 2077 mess: how it happened
CDPR has confirmed they are working with law enforcement to “shed further light” on the breach. There have been no further updates from the studio.